[clug] Securing EtherApe with setcap

Bob Edwards bob at cs.anu.edu.au
Tue Oct 11 23:56:32 UTC 2016


On 11/10/16 18:44, Bryan Kilgallin (PC) wrote:
...
> So I can close EtherApe and Terminal, and then come back later and
> launch EtherApe with sudo. And I no longer need to use setcap?

Yes, although the whole point of running the setcap command is so
that you don't need to invoke EtherApe with sudo.

If you are happy to keep invoking EtherApe with sudo, then there is
no need to change the capabilities of the executable (which is what
you are doing with setcap).

...
> The latter must be what {+eip} means.

Yes.

...
>
>> Note that if you have e.g. a web server running on the same machine, it
>> also will be able to read raw packets etc. - not necessarily something
>> you would want.
>
> Might you suggest an introductory Web explanatory resource? So as for
> example to better understand what EtherApe reports.

Wikipedia? This comment wasn't so much about web servers as much as
pointing out that changing the capabilities of an executable means that
anyone (including pseudo-users such as www-data) could now invoke that
command with those capabilities. You just need to be aware of the
significance (security implications) of adding those capabilities to
that (or any other) executable. Running the setcap command is basically
saying "I know what I am doing and I have determined that it is safe
for this executable to have these additional capabilities". Which you
need to weigh up against "why aren't these capabilities just enabled
by default?".

>
>> Note that the invocation of this command does not include the closing
>> '}'.
>
> How else might I quote here?

Maybe put the closing '}' on a line by itself, so that someone
"cut-and-pasting" your command doesn't inadvertently include it.

cheers,

Bob Edwards.
>
> Regards,
> Bryan.
>
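
Added example (not part of the original message): one way to check the point made above about who can invoke an executable that carries file capabilities. It reads `getcap -r` output in either of the two formats libcap has printed and reports whether each file is executable by every account. The file names, modes and capability strings in the demo are constructed stand-ins.

```shell
#!/bin/sh
# Added example: classify executables that carry file capabilities by who may
# run them. Input is the output of `getcap -r DIR`, in either format:
#   /path = cap_net_raw+eip      (older libcap releases)
#   /path cap_net_raw=eip        (newer libcap releases)

# Print "<exposure><TAB><path><TAB><caps>" for each input line. Exposure is
# "any-user" when the "other" execute bit is set (every local account,
# including service accounts such as www-data, can run the file with those
# capabilities), "restricted" when it is not, "missing" if the path is gone.
audit_file_caps() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        caps=${line##* }          # last field is the capability text
        path=${line% *}           # everything before it is the path
        path=${path% =}           # drop the " =" separator of the older format
        if [ ! -e "$path" ]; then
            printf 'missing\t%s\t%s\n' "$path" "$caps"
        elif [ -n "$(find "$path" -prune -perm -0001 -print)" ]; then
            printf 'any-user\t%s\t%s\n' "$path" "$caps"
        else
            printf 'restricted\t%s\t%s\n' "$path" "$caps"
        fi
    done
}

# Constructed demo: two empty stand-in files; no real capabilities are set.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/etherape";           chmod 755 "$d/etherape"            # everyone may run it
    : > "$d/etherape-grouponly"; chmod 750 "$d/etherape-grouponly"  # owner and group only
    printf '%s\n' \
        "$d/etherape = cap_net_admin,cap_net_raw+eip" \
        "$d/etherape-grouponly cap_net_admin,cap_net_raw=eip" | audit_file_caps
    rm -rf "$d"
}

demo
# Real use (needs getcap from libcap, usually run as root):
#   getcap -r /usr 2>/dev/null | audit_file_caps
```

A file reported as `restricted` still grants its capabilities to the owner and to members of its group, so the group membership is what needs reviewing in that case.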



